Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting hostname from event and then checking presence of computer account in ActiveDirectory using extracted text

dmcinnis
New Member
‎11-29-2013 06:02 AM

Hi Everyone,

I have a question regarding looking up a extracted/generated field from splunk against active directory at search time.
The objective is as follows
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result

Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?

Any help would be greatly appreciated, I hope my search fu did not miss an answer to this kind of question already.

Many thanks
David.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2013 09:45 AM

use a subsearch result to populate the search condition from the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...)
The timerange will be the same for both searches. You can specify manually in the search terms if different ranges are needed.

see http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎11-29-2013 12:36 PM

It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping the file up to date, or using a subsearch.

The subsearch as answered by yannK does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app http://apps.splunk.com/app/1151/# It does have some limitations though.

If you did want a lookup, you would either keep the AD CSV file up-to-date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...

Reply
Solved! Jump to solution

dmcinnis
New Member
‎12-16-2013 05:08 AM

Many thanks, I messed up when marking answers so you should both get the nod for answering my question

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2013 09:45 AM

use a subsearch result to populate the search condition from the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...)
The timerange will be the same for both searches. You can specify manually in the search terms if different ranges are needed.

see http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-29-2013 08:08 AM

you can use 'ldapfilter' command to query against LDAP in the search.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...